
Re: FreeS/WAN - isakmpd



> Okay, it looks like it may be breaking down in phase 1, but i'm not all 
> that familiar with OpenBSD isakmpd log messages. A tcpdump trace would 
> help, as would debug messages from FreeS/WAN. Set plutodebug=all and/or 
> klipsdebug=all on the Linux side and look in Your log file. Perhaps we 
> should continue this off-list, as log files can be really big 
> (especially from FreeS/WAN).

Ok, this is after "service ipsec restart":

root@test ~# tail -f /var/log/messages 
Dec  6 16:05:38 test kernel: klips_debug:pfkey_safe_build: error=0
Dec  6 16:05:38 test kernel: klips_debug:pfkey_safe_build:success.
Dec  6 16:05:38 test kernel: klips_debug:pfkey_safe_build: error=0
Dec  6 16:05:38 test kernel: klips_debug:pfkey_safe_build:success.
Dec  6 16:05:38 test kernel: klips_debug:pfkey_msg_build: pfkey_msg=c6782840 allocated 32 bytes, &(extensions[0])=c74bde04
Dec  6 16:05:38 test kernel: klips_debug:pfkey_msg_build: copying 16 bytes from extensions[15]=c67828a0 to=c6782850
Dec  6 16:05:38 test kernel: klips_debug:pfkey_msg_build: extensions permitted=0000c001, seen=00008001, required=00000001.
Dec  6 16:05:38 test kernel: klips_debug:pfkey_upmsg: allocating 32 bytes...
Dec  6 16:05:38 test kernel: klips_debug:pfkey_upmsg: ...allocated at c69da660.
Dec  6 16:05:38 test kernel: klips_debug:pfkey_register_parse: sending up register reply message for satype=9(IPIP) to socket=c6f8dcc0 succeeded.

From tcpdump on a third machine:


17:04:15.754681 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
17:04:15.754884 arp who-has hate.intranet tell 192.168.11.192
17:04:15.754983 arp reply hate.intranet is-at 0:0:86:44:9f:92
17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0] 
17:04:24.767294 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
17:04:35.783648 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))

Note this line from the log:
17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0]

192.168.11.192 is the Trustix machine
192.168.11.127 (hate) is the OpenBSD machine


- From OpenBSD box: :(((

16:11:42 ~ # netstat -na | grep 500
udp        0      0  *.500                  *.*                   
udp        0      0  192.168.11.127.500     *.*                   
udp6       0      0  *.500                  *.*                   
0xd0a4a974 stream      0      0        0x0 0xd0a99500        0x0        0x0


16:11:13 ~ # netstat -rn -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)


- From Linux box:

root@test ~# netstat -punta
udp        0      0 192.168.11.192:500      0.0.0.0:*                           9700/pluto          




-- 
goony <goony@OpenBEER.it>
"Beer OpenBSD User Group" founder - http://www.OpenBEER.it
KeyID: 1024D/1CDA1B3D
Fingerprint: CDF5 5246 D424 CF61 0330  A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: http://www.OpenBEER.it/keys/goony.gpg
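The trace above shows the OpenBSD initiator (hate) sending IKE phase 1 proposals to UDP 500 on the Trustix box and getting an ICMP "udp port 500 unreachable" back from that same host, which is the kernel's way of saying no socket accepted the datagram at that moment. The following script, an added example and not code from either poster or from FreeS/WAN or isakmpd, reads a tcpdump text trace like the one in the mail and classifies each phase 1 initiation as answered by a responder packet, refused with ICMP port unreachable by the peer itself, or unanswered within a window. The trace embedded in it is constructed from the lines quoted above; the 2 second window and the names `analyze` and `Attempt` are my own choices.

```python
"""Classify IKE phase 1 attempts in a tcpdump text trace (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the trace quoted in the mail.
SAMPLE_TRACE = """\
17:04:15.754681 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
17:04:15.754884 arp who-has hate.intranet tell 192.168.11.192
17:04:15.754983 arp reply hate.intranet is-at 0:0:86:44:9f:92
17:04:15.755158 192.168.11.192 > hate.intranet: icmp: 192.168.11.192 udp port 500 unreachable [tos 0xc0]
17:04:24.767294 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
17:04:35.783648 hate.intranet.500 > 192.168.11.192.500: isakmp: phase 1 I ident:
"""

# "host.500 > host.500: isakmp: phase N X ident:" (old tcpdump prints ports with a dot)
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.500 > (?P<dst>\S+)\.500: "
    r"isakmp: phase (?P<phase>\d) (?P<rest>.*)$"
)
# "host > host: icmp: host udp port N unreachable"
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp: "
    r"(?P<host>\S+) udp port (?P<port>\d+) unreachable"
)


@dataclass
class Attempt:
    ts: float          # seconds since midnight, from the tcpdump timestamp
    initiator: str
    responder: str
    status: str = "no-response"


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_events(trace: str):
    """Split a text trace into ISAKMP packets and ICMP port-unreachable messages."""
    isakmp, icmp = [], []
    for line in trace.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            isakmp.append((_seconds(m["ts"]), m["src"], m["dst"], m["phase"], m["rest"]))
            continue
        m = ICMP_RE.match(line)
        if m:
            icmp.append((_seconds(m["ts"]), m["src"], m["host"], int(m["port"])))
    return isakmp, icmp


def analyze(trace: str, window: float = 2.0):
    """Return one Attempt per phase 1 initiator packet, with its outcome within `window` seconds."""
    isakmp, icmp = parse_events(trace)
    attempts = [Attempt(ts, src, dst) for ts, src, dst, phase, rest in isakmp
                if phase == "1" and rest.startswith("I ")]
    replies = [(ts, src, dst) for ts, src, dst, phase, rest in isakmp if rest.startswith("R ")]
    for a in attempts:
        # A responder packet flowing back from the peer means phase 1 got past the socket.
        if any(a.ts <= ts <= a.ts + window and src == a.responder and dst == a.initiator
               for ts, src, dst in replies):
            a.status = "answered"
            continue
        # ICMP unreachable emitted by the peer for its own UDP 500: no listener took the datagram.
        if any(a.ts <= ts <= a.ts + window and src == a.responder and host == a.responder and port == 500
               for ts, src, host, port in icmp):
            a.status = "icmp-port-unreachable"
    return attempts


def report(attempts) -> str:
    return "\n".join(f"{a.ts:.6f} {a.initiator} -> {a.responder}: {a.status}" for a in attempts)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_TRACE)))
```

Run against the quoted trace it reports the first initiation as refused with ICMP port unreachable by 192.168.11.192 and the two retransmissions as unanswered, which separates "the peer's kernel actively rejected UDP 500" from "the packet was silently dropped" and from "the responder replied but the exchange failed later"; that is the distinction worth establishing before reading pluto or isakmpd debug output.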